On 16 December 2015 at 13:01, Alexey Eromenko <al4321@xxxxxxxxx> wrote:

> We can't defend vs Mangling devices fully, sadly. (without encryption)
> What if data-mangling device (NAT), changes port, and re-computes new
> good checksum on it... ?
> Server will accept a valid-data of a packet, that doesn't belong to the

Being a self-centered bastard, I don't care about NAT or other devices which intentionally mangle packets. Protecting against them is not a priority to me.

If the data mangling happens in the Internet core, it affects everyone; it's a priority that those issues are recognised at the next hop, so that it's easy to identify which node mangled it.

It's a WAY smaller problem domain when you're faced with 'there are some mangled packets' when everyone who complains happens to be behind a specific NAT box. Compared to if some tier1 router is silently mangling, complaints can come from anywhere in the world, and triangulating that to one specific router in the world is slow and expensive (i.e. not gonna happen).

--
  ++ytti